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- The MAILING DATE of this communication appears on 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
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after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 
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2a)M This action is FINAL. 2b)D This action is non-final. 

3) D An election was made by the applicant in response to a restriction requirement set forth during the interview on 

; the restriction requirement and election have been incorporated into this action. 

4) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 
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DETAILED ACTION 

1. This office action is in response to amendment filed on 07/ 18/201 1. 
Claims 6 and 29 were previously canceled. Thus claims are 1-5, 7-28 
and 30-33 are pending. Claims 1, 12, 23 are independent. Each 
independent claim (1,12 and 23) is amended. 

Priority 

2. This application does not claim priority. Therefore, the effective filling 
data for the subject matter defined in the pending claims of this 
application is 10/03/2003. 

Response to Arguments 

3. Applicant's arguments filed on 07/ 18/201 1 have been fully considered 
but are moot in view of the new ground(s) of rejection. 
Examiner Note : Each independent claim is amended and the following 
limitation is added on each independent claim 1, 12 and 23, " wherein 
said remotely located computing resource is modified by said 
unauthorized intrusion ". A further review and consideration of this 
particular claim revealed that "Admitted prior art" actually discloses this 
particular limitation. In view of this understanding the following new 
ground of rejection is applied. 
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4. The following is a quotation of 35 U.S.C. 103(a) which forms the 

basis for all obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically 
disclosed or described as set forth in section 102 of this title, if the 
differences between the subject matter sought to be patented and the 
prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall 
not be negatived by the manner in which the invention was made. 



5. Claims 1-5. 7-28 and 30-33 _ are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Talpade et al (hereinafter referred as 
Talpade)(U.S. Publication No. 2004/0148520) (filed on January 29, 
2003) in view of Maguire et al (hereinafter referred as Maguire) (US 
Publication No. 2003/0208606 Al filed on May 4, 2002) and further in 
view of over admitted prior art (hereinafter referred to as Admission) 



6. As per independent claims 1. 12 and 23 T alpade discloses a method 
for responding to network intrusions, comprising: [Abstract] 

• a) receiving an intrusion detection system (IDS) alert from an 
IDS sensor [Figure 2, ref. Num. "234" and "236"/ sensor] located in a 
network of computing resources [figure 2, ref. Num. "204", customer 
network or Figure 2, ref. Num "206"] wherein said IDS alert indicates an 
unauthorized intrusion upon a remotely located computing resource 
in said network of computing resources; [Abstract] (As explained on the 
abstract, A sensor shown on figure 2, ref. Num "214" and "236" examines 
the traffic entering the remotely located customer network shown on figure 
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2, ref. Num. "204" and "206" for attack traffic. When an attack is detected, 
the sensor notifies an analysis engine (figure 2, 232) located within the ISP 
network to mitigate the attack. Therefore the analysis engine as shown on 
figure 2, ref. Num "232" which is also located remotely with respect to the 
customer computing resource network shown on figure 2, ref. Num "204" 
and "206" is notified the IDS alert indicating an unauthorized 
intrusion/ attacks) 

•b) identifying said IDS alert;/See paragraph 0023] (The analysis engine 
shown on figure 2, ref. Num "232" identifies the DDoS attacks/ intrusion 
when receiving a DDoS notification/ intrusion notification from the sensor 
located remotely as shown on figure 2, ref Num "234" and "236" ) and 

• c) determining an appropriate response to said IDS alert [For 
example see Abstract, "the analysis engine as appropriate response to 
said IDS alert/ notification for instance, configures a filter router to 
advertise new routing information"] that is identified at a location 
separate from said remotely located computing resource [figure 2 and 
Abstract] (The computing resources are located in side the customer 
network shown on figure 2, ref Num "204" and "206", however the Ids 
alert is identified first at the sensor located at the sensor shown on figure 
2, ref. Num "234" and "236" which is separate from said remotely located 
computing resource located inside the customer network shown on figure 
2, ref. Num "204" and "206". Furthermore, the Ids alert is also identified at 
the analysis engine shown on figure 2, ref. Num "232" which is also 
separate from said remotely located computing resource located inside the 
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customer network shown on figure 2, ref. Num "204" and "206"] so that 
said determining said appropriate response is unaffected by said 
unauthorized intrusion (As explained on the abstract, A sensor shown 
on figure 2, ref. Num "214" and "236" examines the traffic entering the 
remotely located customer network shown on figure 2, ref. Num "204" and 
"206" for attack traffic. When an attack is detected, the sensor notifies an 
analysis engine within the ISP network to mitigate the attack. Therefore 
the analysis engine as shown on figure 2, ref. Num "232" which is also 
located remotely with respect to the customer computing resource network 
shown on figure 2, ref. Num "204" and "206" is notified the IDS alert 
indicating an unauthorized intrusion/ attacks and an appropriate response 
to said unauthorized intrusion is taken by the analysis engine such as 
configuring a filter router or diverting the traffic. Therefore such appropriate 
response is unaffected by said unauthorized intrusion.) ; and 

• d) automatically implementing said appropriate response to 
mitigate damage to said network of computing resources from said 
unauthorized intrusion by isolating said remotely located computing 
resource. [Paragraph 0024-0027 and abstract] (See for instance on 
paragraph 0024, "automatically mitigates the attack by configuring one or 
more filter routers. Furthermore as it is explicitly disclosed on the abstract, 
When an attack is detected, the sensor notifies an analysis engine within 
the ISP network to mitigate the attack. The analysis engine configures a 
filter router to advertise new routing information to the border and edge 
routers of the ISP network. The new routing information diverts/ reroute all 
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traffic (attack traffic/ intrusion and non-attack traffic) destined for the 
customer network to the filter router. Therefore by doing so, the remotely 
located computing resource/ customer network is isolated from receiving 
anu traffic what so ever, until the filter router, filters and remove the attack 
traffic. It is onlu gfter the attack traffic/ intrusion is filtered at the filter 
router that the non-attack traffic is passed back onto the ISP network for 
routing towgrds the customer network . Therefore it is undoubtedlu clear 
that the computing resource is isolgted from unauthorized intrusion/ attgck 
traffic, so that the appropriate response to mitiggte the damgge to the sgid 
network of computing resources is automaticgllu implemented. ") 

Talpade, does not expressly disclose the following limitation: 
"wherein said implementing said appropriate response comprises 
interfacing with a power controller that controls power to said computing 
resource to shut power to said computing resource" recited in claim 1 
and "wherein said implementing said appropriate response comprises 
interfacing with at least one switch, an associated switch, in said 
network of computing resources to virtually reconfigure said associated 
switch in order to virtually isolate said computing resource from 
remaining computing resources in said network of computing resources" 
recited in claim 12 and 23. 

However, in the same field of endeavor Maguire on paragraph 0027, 
0030-0031, 0032; 0039 and figure 3A/3b discloses the above limitations. 
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For instance at least on paragraph 0032 the following has been discloses 
which meets the above limitation. 

"As illustrated in FIGS. 3A and 3B, switching component 32 1 ("switch") is 
generally coupled to interface 320 and may be operative selectively to 
disable data communication between a device and the network 
substantially as described above. When an appropriate signal is received 
at input 330, for example, switch 32 1 may prevent communication of 
data through interface 320: in that regard, operation of switch 32 1 may 
have the same effect as physically disconnecting the communication 
cable (erg. Ethernet or coaxial cable, telephone cord, etc.) from access 
device 1 1 1 or client 112. Switch 32 1 may be embodied in a circuit 
element or other hardware component, for example, or in software 
programming code or firmware instruction sets; irrespective of its 
implementation, switch 32 1 may be configured to render data transfer or 
network communications through interface 320 inoperative responsive to 
a signal or to other acts or events." 

It would have been obvious to one having ordinary skill in the art, at the 
time the invention was made, to implement in the system of Talpade, a 
mechanism to use the features such as "implementing said appropriate 
response comprises interfacing with a power controller that controls 
power to said computing resource to shut power to said computing 
resource" and "wherein said implementing said appropriate response 
comprises interfacing with at least one switch, an associated switch, in 
said network of computing resources to virtually reconfigure said 



Application/Control Number: 10/678,333 Page 8 

Art Unit: 2432 

associated switch in order to virtually isolate said computing resource 
from remaining computing resources in said network of computing 
resources" as taught by Maguire because this would enhance and 
strengthen the security of the system by isolating the computing 
resources form the IDS attack. [See Maguire; Paragraph 0027, 0031, 
0032 and 0039] 

The combination of Talpade and Maguire, does not expressly 
disclose the following amended limitation: "wherein said remotely located 
computing resource is modified by said unauthorized intrusion " 

However, Examiner would like to point out that, IDS system that is 
designed to take the necessary action after unauthorized intrusion has 
already modified the computing resources /assets is well know. In fact, 
Admission on at least page 3, lines 1-2 clearly indicates how 
conventional IDS systems provide solutions to mitigating damage after a 
successful attack or intrusion have already taken place. This implies that 
the computing resource is somehow modified by unauthorized intrusion 
and this meets the limitation recited as " wherein said remotely located 
computing resource is modified by said unauthorized intrusion" 

Furthermore on page 2, lines 1-2, Admission discloses the following 
which meets the above amended limitation. 

" Intrusion detection systems (IDS) provide alerts when a breach of 
security has occurred to applications and operating systems of IT 
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resources within a data center and this also meet the limitation recited 
as "wherein said remotely located computing resource is modified by said 
unauthorized intrusion" 

Finally Admission on page 2, lines 20-23 discloses the following, "Or, the 
network administrator might remotely access and use a tool which powers 
down the system or disconnects the IT resource from the network. As such, 
the response time may not occur quickly enough before damage has 
been done to the IT resource or the data center " 
And this also meets the limitation recited as "wherein said remotely 
located computing resource is modified by said unauthorized intrusion" 

It would have been obvious to one having ordinary skill in the art, at the 
time the invention was made, to implement in the system of the Talpade 
and Mauire, a mechanism to add extract features such as " wherein said 
remotely located computing resource is modified by said unauthorized 
intrusion " as taught by Admission because this would enhance and 
strengthen the security of the system by providing comprehensive 
Intrusion detection system that will counteract IDS attack not only 
before computer resources are modified by intrusion but also after the 
resource is modified by IDS attack. 
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7. As per dependent claims 2, 13 and 24 the combination of Talpade, 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore Talpade 
discloses the method wherein, wherein a) further comprises: al) 
detecting a suspicious intrusion into said computing resource; 
[Abstract and figure 2 and particularly, figure 2, ref Num "234"/ sensor,] 
(The computing resources are inside the customer network shown on 
figure 2, ref. Num "204" and "206") 

a2) determining said suspicious intrusion is unauthorized; 

[Paragraph 001 7] (Sensor detects an attack) a3) generating said IDS 
alert; [See, Abstract, notification generated by the sensor] and a4) 
sending said IDS alert to an IDS manager that is located remotely 
from said computing resource within said network of computing 
resources. [Paragraph 0024, "the IDS alert/ notification is sent to the 
Analysis engine and consequently to the ISP policy manager. Therefore ISP 
manager located remotely is notified and this meets the limitation of 
sending said IDS alert to an IDS manager that is located remotely from 
said computing resource within said network of computing resources.] 

8. As per dependent claims 3, 14 and 25 the combination of Talpade, 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore Talpade 
discloses the method, wherein a2) further comprises: determining 
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said suspicious intrusion is unauthorized when said suspicious 
intrusion matches with at least one of a list of unauthorized 
intrusions. [Figure 2, ref. 248 "filter sensors in side the sensors shown on 
figure 2, ref Num. "234" and "236", filtering inherently contains matching] 

9. As per dependent claims 4, 15 and 26 the combination of Talpade, 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore Talpade 
discloses the method, wherein a2) further comprises: detecting said 
suspicious intrusion at a host-based intrusion detection system 
(HIDS) sensor located on said computing resource. (See sensor located 
within said network of computing resources shown on figure 2, ref. Num 
"234" and "236" and see also Maguire sensor figure 2A, Ref Num "220") 

10. As per dependent claims 5. 16 and 27 the combination of Talpade 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore Talpade 
discloses the method, wherein comprises: detecting said suspicious 
intrusion at a network-based intrusion detection system (NIDS) 
sensor located within said network of computing resources. [See 
sensor located within said network of computing resources shown on 
figure 2, ref Num "234" and "236" and see also Maguire sensor figure 2B, 
Ref Num "220) 
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11. As per dependent claims 7, the combination of Talpade Maguire and 
Admission discloses a method for responding to network intrusions 
as applied to claims above. Furthermore Maguire discloses the 
method, wherein d) further comprises: dl) interfacing with at least 
one switch, an associated switch, in said network of computing 
resources to virtually reconfigure said associated switch in order to 
virtually isolate said computing resource from remaining computing 
resources in said network of computing resources. [See Maguire at 
least figure 3 and paragraph 0027, 0031-0032 and 0039] 

12. As per dependent claims 8. 19 and 30. the combination of Talpade 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore Maguire 
discloses the method, wherein said associated switch comprises an 
Ethernet switch. [See paragraph 0032, "When an appropriate signal is 
received at input 330, for example, Switch 321 may prevent 
communication of data through interface 320; in that regard, operation of 
switch 321 may have the same effect as physically disconnecting the 
communication cable (erg. Ethernet or coaxial cable, telephone cord, etc.) 
from access device 111 or client 1 12"] 

13. As per dependent claims 9, 20 and 31, the combination of Talpade 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore Maguire 
discloses the method, wherein said associated switch comprises a 
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Storage Area Network (SAN) switch. [See the network switch recited on 
abstract and figure 3 A, broadly meets this limitation.] 

14. As per dependent claims 10. 21 and 32. the combination of Talpade 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore Maguire 
discloses the method, wherein said associated switch comprises a 
SAN switch [See the network switch recited on abstract and figure 3A, 
broadly meets this limitation] and an Ethernet switch [See paragraph 
0032, "When an appropriate signal is received at input 330, for example, 
Switch 321 may prevent communication of data through interface 320; in 
that regard, operation of switch 321 may have the same effect as 
physically disconnecting the communication cable (erg. Ethernet or coaxial 
cable, telephone cord, etc.) from access device 111 or client 1 12"] 

15. As per dependent claims 11. 17 and 33. the combination of Talpade 
Maguire and Admission discloses a method for responding to 
network intrusions as applied to claims above. Furthermore 
Admission discloses the method, wherein said network of computing 
resources comprises a provisional data center. [Page 2, lines 23, "data 
center" and See also Talpade,on paragraph 0007, SOHO, Small office 
customer/home office customer which are located inside the Figure 2, ref. 
Num "204" and "206" inherently contains some kinds of data center.) 

16. As per dependent claim 18. the combination of Talpade Maguire and 
Admission discloses a method for responding to network intrusions 
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as applied to claims above. Furthermore Maguire discloses the 
method wherein said switch couples said computing resource to a 
virtual local area network. [See abstract, figure 3 and paragraph 0032 
and abstract] 



17. As per dependent claims 22 the combination of Talpade, Maguire 
and Admission discloses a method for responding to network 
intrusions as applied to claims above. Furthermore Maguire 
discloses the method, wherein automatically interfacing with said 
associated switch in said network of computing resources; and 
automatically interfacing with said power controller. [See Maguire 
paragraph 0027, 0031-0032 and 0039 and figure 3] 

18. As per dependent claims 28 the combination of Talpade, Maguire 
and Admission discloses a method for responding to network 
intrusions as applied to claims above. Furthermore Maguire 
discloses the method, wherein d) in said method further comprises: 
dl) interfacing with a power controller that controls power to said 
computing resource to shut power to said computing resource. [See 
Maguire paragraph 0027, 0031-0032 and 0039 and figure 3] 
Conclusion 



19. Applicant's amendment necessitated the new ground(s) of rejection 

presented in this Office action. Accordingly, THIS ACTION IS MADE 
FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of 
time policy as set forth in 37 CFR 1.136(a). 



Application/Control Number: 10/678,333 
Art Unit: 2432 



Page 15 



A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first 
reply is filed within TWO MONTHS of the mailing date of this final action 
and the advisory action is not mailed until after the end of the THREE- 
MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension 
fee pursuant to 37 CFR 1. 136(a) will be calculated from the mailing date 
of the advisory action. In no event, however, will the statutory period for 
reply expire later than SIX MONTHS from the date of this final action. 



Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to Samson B Lemma whose 
telephone number is 571-272-3806. The examiner can normally be 
reached on Monday-Friday (8:00 am— 4: 30 pm). 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, BARRON JR GILBERTO can be reached on 571- 
272-3799. The fax phone number for the organization where this 
application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status 
information for published applications may be obtained from either 
Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more 
information about the PAIR system, see http://pair-direct.uspto.gov. 
Should you have questions on access to the Private PAIR system, contact 
the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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Primary Examiner, Art Unit 2432 



